HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Vanilla 2.1.1 - important security & bug release

LincLinc Detroit Admin
edited August 2014 in Releases

Announcing the availability of 2.1.1, a security & bug fix release for 2.1.

It is imperative all 2.1 forums upgrade immediately.


  • HtmLawed was upgraded to close an XSS vector (thanks to Psych0tr1a for responsibly disclosing this to us & to HtmLawed for a fast patch in response).
  • Multiple XSS exploits were fixed (thanks to @x00 for responsibly disclosing and both he and @businessdad for assistance in making our patches as bulletproof as possible).
  • Fixed a Twitter SSL bug (thanks @Adrian for the patch).
  • Fixed a missing permission check in the sorting utility (thanks @R_J for the patch).
  • cleditor was patched to fix a crippling IE11 bug.
  • Profile Extender was upgraded and a security flaw in it was fixed.
  • Fixed a bug in Announcing while starting a discussion.
  • Corrected the default theme README.
  • Backported GDN_UserAuthenticationProvider.IsDefault so the latest version of jsConnect will work with 2.1.1.
  • Fixes a theme screenshot bug (thanks @hgtonight‌ for the patch).

As you can see, some extremely critical fixes are included. The only feature addition is those added to the Profile Extender addon as a result of getting backported from 2.2 (master) branch.

Diff of 2.1.1 against 2.1 gold. (32 files changed, so I don't recommend a selective upgrade on this one.) has the same XSS issues and its patch will be released this weekend is available here as



  • businessdadbusinessdad Stealth contributor MVP

    Thanks for the update @Linc. Looking forward to the patch for 2.0.x. I know it will be a pain, but I will need to do a diff before updating, as I had to change a core model to fix some performance issues (which will probably be unaffected, but better safe than sorry).

  • LincLinc Detroit Admin

    @businessdad The 2.0 patch will be much more limited since it will selectively be targetting the XSS.

  • LincLinc Detroit Admin

    Edited OP to link to 2.0 patch which is out now too.

  • How does one upgrade 2.1 already installed? Is there like an autoupdate feature or do you have to download the zip and upload via FTP?

  • LincLinc Detroit Admin
    edited August 2014

    @MichaelCS The upgrade instructions are in the README file. Yes, the upshot is: upload the new files, replacing the existing ones. We do not have an auto-update feature.

  • MichaelCSMichaelCS New
    edited August 2014

    Fair enough I will do that sometime tonight after I'm done Rome II battles. My Vanilla Forums is on a sandbox server while we debate contracting you Vanilla people for a theme and plugin implementation LOL

  • AnonymooseAnonymoose ✭✭
    edited August 2014

    Good to see the update. Thanks.

  • Thanks

    grep is your friend.

  • whu606whu606 I'm not a SuperHero; I just like wearing tights... MVP

    For those using Emotify plugin, if you have custom images/settings, make sure you back up before upgrading, as the files are over-written.

  • LincLinc Detroit Admin

    If it wasn't obvious, anyone using the master/2.2 branch needs to upgrade to (current HEAD) as well.

  • hmalaudhmalaud New
    edited August 2014

    Hello all,
    I can't install the new archive (08.02.14 - 2.1.1) either on local or on distant server. On both, page does not open (it stays blank) and I can't start the setup process. Sorry if I didn't post in the right category.
    Any thoughts?

  • LincLinc Detroit Admin

    @hmalaud Would be a good idea to start a new troubleshooting discussion.

  • Ok thanks Linc I'll do that.

  • Currently running Vanilla - will it be possible to upgrade directly to this version?


  • LincLinc Detroit Admin
    edited August 2014

    @blizeH It is, but please follow the 2.0 -> 2.1 upgrade instructions that has an extra step or two (including deleting an old file). You may need to run /utility/update more than once.

    I recommend testing your theme & plugins on a separate 2.1 test install first to make sure it's compatible unless you've already verified they all work. There were a few backwards-compatibility breaks.

  • That's great, thank you Linc

Sign In or Register to comment.